CVE-2026-34942: CWE-129: Improper Validation of Array Index in bytecodealliance wasmtime
CVE-2026-34942 is a medium severity vulnerability in Wasmtime, a WebAssembly runtime by bytecodealliance. It involves improper validation of array indices during string transcoding into utf16 or latin1+utf16 encodings. This flaw allows unaligned pointers to be passed to the host, causing a host panic. Malicious guests can trigger this panic by transferring specific strings with crafted addresses, resulting in a denial of service (DoS) condition. The issue affects multiple Wasmtime versions prior to 24. 0. 7, 36. 0. 7, 42. 0.
AI Analysis
Technical Summary
Wasmtime's implementation of string transcoding to the Component Model's utf16 or latin1+utf16 encodings improperly verifies the alignment of reallocated strings. This improper validation allows unaligned pointers to be passed to the host environment, which triggers a host panic. Since the panic can be induced by malicious guest code transferring specific strings with particular memory addresses, this vulnerability constitutes a denial of service vector controlled by the guest. The vulnerability is identified as CWE-129 (Improper Validation of Array Index). It affects Wasmtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1 and is fixed in those versions.
Potential Impact
The vulnerability allows a malicious guest component running in Wasmtime to cause a host panic by passing unaligned pointers during string transcoding. This panic leads to a denial of service condition in the host environment. There is no indication of code execution or data corruption beyond the DoS impact. No known exploits are reported in the wild.
Mitigation Recommendations
Fixes for this vulnerability are available in Wasmtime versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1. Users should upgrade to one of these fixed versions to remediate the issue. Patch status is not explicitly stated beyond these fixed versions, so users should verify their version against these and update accordingly. There is no vendor advisory content provided that states 'no action required' or 'already mitigated.'
CVE-2026-34942: CWE-129: Improper Validation of Array Index in bytecodealliance wasmtime
Description
CVE-2026-34942 is a medium severity vulnerability in Wasmtime, a WebAssembly runtime by bytecodealliance. It involves improper validation of array indices during string transcoding into utf16 or latin1+utf16 encodings. This flaw allows unaligned pointers to be passed to the host, causing a host panic. Malicious guests can trigger this panic by transferring specific strings with crafted addresses, resulting in a denial of service (DoS) condition. The issue affects multiple Wasmtime versions prior to 24. 0. 7, 36. 0. 7, 42. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Wasmtime's implementation of string transcoding to the Component Model's utf16 or latin1+utf16 encodings improperly verifies the alignment of reallocated strings. This improper validation allows unaligned pointers to be passed to the host environment, which triggers a host panic. Since the panic can be induced by malicious guest code transferring specific strings with particular memory addresses, this vulnerability constitutes a denial of service vector controlled by the guest. The vulnerability is identified as CWE-129 (Improper Validation of Array Index). It affects Wasmtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1 and is fixed in those versions.
Potential Impact
The vulnerability allows a malicious guest component running in Wasmtime to cause a host panic by passing unaligned pointers during string transcoding. This panic leads to a denial of service condition in the host environment. There is no indication of code execution or data corruption beyond the DoS impact. No known exploits are reported in the wild.
Mitigation Recommendations
Fixes for this vulnerability are available in Wasmtime versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1. Users should upgrade to one of these fixed versions to remediate the issue. Patch status is not explicitly stated beyond these fixed versions, so users should verify their version against these and update accordingly. There is no vendor advisory content provided that states 'no action required' or 'already mitigated.'
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T17:27:08.660Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d806d51cc7ad14da15a669
Added to database: 4/9/2026, 8:06:45 PM
Last enriched: 4/9/2026, 8:21:12 PM
Last updated: 4/9/2026, 10:31:44 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.